Massive Attack from New "Leet Botnet" Reaches 650 Gbps

Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (Gigabit per second), making it one of the largest known DDoS attacks on record.

Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycasted IPs on the Imperva Incapsula network.

While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices.

“Due to IP spoofing, it's hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload's content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”

In an analysis of the attack, Imperva assumes that the attacker could not locate the specific target hidden behind Imperva proxies -- and chose instead to attack the cloud-based service itself.

The attack came in two waves. The first lasted 20 minutes and peaked at 400 Gbps. This failed in its purpose. "The offender regrouped and came back for a second round," reports Imperva. "This time enough botnet 'muscle' to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps)."

The second wave lasted around 17 minutes, and also failed. "Out of options, the offender wised up and ceased his assault."

Hidden behind spoofed IP addresses, it was impossible to locate the geographical location of the attacking devices; but Imperva was able to analyze the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)

Leet's name comes from a 'signature' within the packets. "In the TCP Options header of these packets, the values were arranged so they would spell '1337'. To the uninitiated, this is leetspeak for 'leet', or 'elite'," notes Imperva.

Two separate payloads were used: regular SYN packets (44 to 60 bytes), and abnormally large SYN packets (799 to 936 bytes). The content of the large packets was taken from the compromised devices and scrambled. The result is an inexhaustible supply of obfuscated and randomized payloads that can bypass any signature-based defenses that mitigate attacks by identifying similarities in packet content.

Imperva suggests that the new Leet botnet, rivalling Mirai in capacity, is merely a sign of things to come. With an ever-increasing supply of insecure IoT devices, "like we said, it's about to get a lot worse."

There is no immediate solution beyond preparation as far as possible. "Organisations should be prepared to mitigate DDoS attacks and be prepared to get back up and running once the attack is over," suggests F-Secure security advisor Sean Sullivan. "DDoS attacks cannot be prevented; being prepared to reduce downtime in the aftermath lessens the threat of DDoS. Extortionists will move on to weaker targets that are less prepared."

In the longer term, the solution to IoT-based botnets will probably have to be regulation. Governments are reluctant to regulate the internet for fear of inhibiting innovation; but there comes a point when it is the only solution. The security industry has been warning about IoT insecurity for years, but manufacturers have still rushed out new and insecure product to gain early market share.

Regulation already exists in other industries -- health and engineering, for example. Making IoT manufacturers more clearly legally liable for the effect of insecurity may be a step too difficult. Required security certification might help, but would probably not be enough. But a few seriously heavy fines from a regulator against the worst offenders would make developers take more care over their security.

In the short term, warns Sullivan, "There's little hope that networking and IoT equipment will become more secure, although ISPs could empower their security teams to run cleaner networks."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.